Native operating system services can prevent security software from installing arbitrary hooking within the kernel of operating systems. Security software is thus prevented from filtering all behaviors of an electronic device, including potentially malicious actions by malware. Malware may include, but is not limited to, spyware, rootkits, password stealers, spam, sources of phishing attacks, sources of denial-of-service-attacks, viruses, loggers, Trojans, adware, or any other digital content that produces malicious activity.
The filtering functionality provided by the operating system may be limited, and only available on timelines decided by the operating system vendor. Malware can operate and reside at the same level as security software, particularly in the operating system kernel, and thus compromise both the operating system and the integrity of the security software itself.
Many forms of aggressive kernel mode malware tamper with user mode memory to accomplish malicious tasks such as injecting malicious code dynamically, modifying user mode code sections to alter execution paths and redirect into malicious code, and modifying user mode data structures to defeat security software. Additionally, some malware may attack anti-malware applications and processes from the kernel by tampering with the code and data sections of process memory to deceive the detection logic.
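The tampering described above leaves a measurable trace: once a code section has been patched in memory, it no longer matches the image on disk from which it was loaded. The following added example (not part of the patent text, and not any vendor's product code) shows the user mode half of such a check on Linux. It parses the executable, file-backed mappings of a process from the `/proc/<pid>/maps` format, reads the same range from `/proc/<pid>/mem` and from the backing file, and reports the byte offsets that differ. The sample maps text is constructed for the demonstration.

```python
"""Added example: compare a process's executable, file-backed mappings
against the backing files on disk to find in-memory code patching.
Linux-only; reading another process's memory requires ptrace access."""
import os
import re
from typing import List, NamedTuple, Optional


class ExecMapping(NamedTuple):
    start: int    # virtual start address
    end: int      # virtual end address (exclusive)
    offset: int   # file offset the mapping starts at
    path: str     # backing file


# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]"
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+(\d+)\s*(.*)$"
)


def parse_exec_mappings(maps_text: str) -> List[ExecMapping]:
    """Executable mappings that are backed by a file on disk.
    Anonymous regions and pseudo-files ([heap], [vdso]) have nothing
    on disk to compare with and are skipped."""
    result = []
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue
        start, end, perms, offset, inode, path = m.groups()
        if "x" not in perms or int(inode) == 0 or not path.startswith("/"):
            continue
        if path.endswith("(deleted)"):
            continue  # file no longer on disk; cannot be compared
        result.append(ExecMapping(int(start, 16), int(end, 16),
                                  int(offset, 16), path))
    return result


def diff_offsets(in_memory: bytes, on_disk: bytes) -> List[int]:
    """Offsets (relative to the mapping start) where memory and disk differ."""
    n = min(len(in_memory), len(on_disk))
    diffs = [i for i in range(n) if in_memory[i] != on_disk[i]]
    # A mapping that runs past the end of its file is zero-filled by the
    # kernel, so any non-zero byte there did not come from disk either.
    diffs.extend(i for i in range(n, len(in_memory)) if in_memory[i] != 0)
    return diffs


def check_mapping(pid: int, mp: ExecMapping) -> Optional[List[int]]:
    """Compare one live mapping with its backing file.
    Returns the differing offsets, or None if either side is unreadable."""
    size = mp.end - mp.start
    try:
        with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
            mem.seek(mp.start)
            in_memory = mem.read(size)
        with open(mp.path, "rb") as f:
            f.seek(mp.offset)
            on_disk = f.read(size)
    except OSError:
        return None
    return diff_offsets(in_memory, on_disk)


def scan_process(pid: Optional[int] = None) -> dict:
    """Map "path@start" to the differing offsets for every executable mapping."""
    if pid is None:
        pid = os.getpid()
    with open(f"/proc/{pid}/maps") as f:
        mappings = parse_exec_mappings(f.read())
    return {f"{m.path}@{m.start:x}": check_mapping(pid, m) for m in mappings}


# Constructed sample of /proc/<pid>/maps output (addresses, inode and
# path are illustrative, not taken from any real system).
SAMPLE_MAPS = """\
55d0a1c00000-55d0a1c01000 r--p 00000000 fd:01 1311 /usr/bin/python3.11
55d0a1c01000-55d0a1c02000 r-xp 00001000 fd:01 1311 /usr/bin/python3.11
55d0a1c02000-55d0a1c03000 rw-p 00002000 fd:01 1311 /usr/bin/python3.11
7f3c2b000000-7f3c2b021000 rw-p 00000000 00:00 0 [heap]
7f3c2b100000-7f3c2b101000 r-xp 00000000 00:00 0
7f3c2b200000-7f3c2b201000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for name, diffs in scan_process().items():
        if diffs is None:
            status = "unreadable"
        elif not diffs:
            status = "clean"
        else:
            status = f"{len(diffs)} byte(s) differ from disk"
        print(f"{name}: {status}")
```

Running the module scans the current process. A mismatch is a lead, not a verdict: libraries built with text relocations are legitimately written after loading, so a production check would whitelist known relocation targets. The check also runs from user mode, which is exactly the level the patent text says malware in the kernel can subvert, so it complements rather than replaces a check performed below the operating system.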
Kernel mode rootkits and other malware employ various methods to hide their presence from user mode applications and kernel mode device drivers. The techniques used may vary depending upon where the infection takes place. For example, malware may attack the kernel's active process list of an operating system to delist or unlink a rootkit or other malware process. Other malware may tamper with the code sections of process access and enumeration functions.
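A process unlinked from the active process list, or hidden by a patched enumeration function, is still scheduled and still answers system calls addressed to it by identifier. Cross-view detection exploits that difference: one view is the normal process listing, the other is a probe of every possible identifier, and anything present in the second view but absent from the first is hidden. The following added example (not from the patent, and not any vendor's code) implements that comparison on Linux with `/proc` as the listing view and `kill(pid, 0)` as the probe view. The edge case it handles is that `kill(2)` also answers for thread identifiers, so a listing that ignores `/proc/<pid>/task` would report every non-leader thread as a hidden process.

```python
"""Added example: cross-view detection of hidden processes on Linux.
View A: identifiers shown by the ordinary /proc listing.
View B: identifiers that respond to a signal-0 probe.
An identifier in B but not in A is running yet not listed."""
import os
from typing import Iterable, Optional, Set


def listed_ids() -> Set[int]:
    """Process IDs from the /proc listing, plus the thread IDs under each
    process, because kill(2) answers for a thread ID as well."""
    ids: Set[int] = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:
            pass  # the process exited between the two listings
    return ids


def id_exists(pid: int) -> bool:
    """Probe an identifier without delivering a signal."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True


def read_pid_max() -> int:
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())


def probe_ids(pid_max: int) -> Set[int]:
    return {pid for pid in range(1, pid_max + 1) if id_exists(pid)}


def hidden_ids(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """Pure comparison of the two views; works on any pair of views."""
    return set(probed) - set(listed)


def cross_view_check(pid_max: Optional[int] = None) -> Set[int]:
    """Take the listing on both sides of the probe so that a process which
    starts or exits during the (slow) probe loop is not reported as hidden."""
    if pid_max is None:
        pid_max = read_pid_max()
    before = listed_ids()
    probed = probe_ids(pid_max)
    after = listed_ids()
    return hidden_ids(before | after, probed)


if __name__ == "__main__":
    suspects = cross_view_check()
    if suspects:
        print("identifiers answering kill(2) but absent from /proc:",
              sorted(suspects))
    else:
        print("no hidden identifiers found")
```

The probe loop issues one system call per possible identifier, so with the default `pid_max` it takes seconds rather than milliseconds; a scheduled scan, not a per-event one. The comparison only reaches what the kernel's `kill(2)` path will admit, and a rootkit that also hooks that path is invisible to it, which is the general limitation of any user mode view that the patent text describes.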
In some instances, malware may attempt to intercept sensitive information by intercepting or “sniffing” content of an input/output (I/O) operation. I/O operations may include transmissions of data between an application executing on an electronic device and peripheral devices of the electronic device (e.g., display devices, keyboards, disk drives, etc.). By attempting to intercept such content, malware may obtain usernames, passwords, financial data, or other sensitive information.